My Lords, Amendment 81B seeks to place a duty on the Investigatory Powers Commissioner to ensure that the data-protection rights of citizens are considered and protected under the public service delivery power. The effect of this amendment would be to impose similar duties on the Investigatory Powers Commissioner as are already carried out by the Information Commissioner. It is for that reason that we do not consider that this amendment is necessary. I understand the points that the noble Lord, Lord Collins, has made in this context. We are all concerned to ensure that these powers are ring-fenced as far as is reasonably practicable and that any breach should be policed to the extent required. However, in our view, the Investigatory Powers Commissioner is not the appropriate party to deal with this matter. The Bill is not about investigatory powers, and accepting this amendment would result in a substantial and, as I sought to indicate earlier, confusing addition to the portfolio of the Investigatory Powers Commissioner.
We are of course concerned that there should be public confidence in the provisions of the Bill and in the whole body of data-sharing powers. I understand the observation of the noble Lord, Lord Collins, that the Investigatory Powers Act does everything possible to ensure security is there, so that only the given powers are exercised and that the rights of the individual are put at the head of any agenda, but that is clearly the intention of this Bill as well. That can be
achieved by having regard to the position of the Information Commissioner in the context of the present provisions.
I understand and indeed admire the noble Lord’s suggestion that we should in some sense be seeking to future-proof the Bill. There are limits to our ability to do that, but I will return to that point in the context of the regulations that come into force in May 2018. We have already had regard to that in order to try to ensure that the provisions of the Bill will comply with imminent regulations, such as those I have just referred to.
The noble Lord also raised the question of confidentiality and the concerns that have been expressed by the medical profession in that context. Let us be clear that, as noble Lords will recollect, common-law obligations of confidentiality are rarely if ever absolute. We know that various common-law issues of confidentiality tend to be subject to one qualification or another. Concerns have been expressed over the interaction between the provisions of the Bill and medical confidentiality, primarily in respect of the statutory override within the Bill. The provisions of the Bill are clear that sharing data under the powers in the Bill does not breach any existing duty of confidentiality. That includes the common-law duty of confidentiality to the extent that it applies to patient information.
The use and processing of medical information is governed by common law, but also by the Data Protection Act 1998, by the provisions of the Human Rights Act 1998 and indeed by specific legislation which allows, requires or prohibits certain uses of such data. There is no blanket ban on the use of medical information outside the patient-doctor context, and it is not the case that every instance of sharing such information will constitute a breach of confidentiality. Indeed, the General Medical Council’s 2017 guidance expressly states personal information can be disclosed,
“without breaching duties of confidentiality”,
in particular circumstances, one of which is where the disclosure is,
“approved through a statutory process that sets aside the common law duty of confidentiality”.
So it is acknowledged by the General Medical Council itself that this may occur from time to time, and the provisions of the Bill are structured to reflect this. They override duties of confidentiality only in order to ensure that public authorities have clarity in terms of what they can and cannot share under the powers of the Bill. I hope that goes some way to meeting his concerns about confidentiality in that context.
Amendments 84, 87, 119, 138 and 213, which are also in this group and were referred to by the noble Baroness, Lady Janke, cover a broad range of suggested additional safeguards and restrictions on the use of the powers. They seek to introduce, among other things, an express data minimisation rule, a requirement to conduct and publish a privacy impact assessment and provisions extending the Information Commissioner’s powers in respect of enforcement notices. They also introduce a provision enabling data subjects to request that inaccurate personal data disclosed under the powers be amended. We are firmly of the view that while all of these requirements represent important safeguards on
the use of our powers, they are already provided for in different ways under the Bill, the codes of practice or existing legislation, including in particular the Data Protection Act 1998. Indeed, under the DPA only the minimum personal data necessary may be shared to achieve the particular objective, and all personal data that is held must be accurate. I hope that that goes some way the meeting one of the points made by my noble friend Lady Byford about excess data being given to public authorities. That is simply not permitted in the existing legislation, particularly the requirements of the Data Protection Act 1998. Over and above that, the Information Commissioner already has a range of mechanisms to enforce compliance with the DPA. Amendment 213, which would insert a new clause on enforcement notices, would not add to those powers in any material way.
Further, Amendment 213 requires certain information to be gathered in respect of the benefits of data-sharing arrangements. Again, that is not necessary: bodies wishing to exercise the powers in these provisions must consider benefits as part of their privacy impact assessment. We acknowledge the importance of privacy impact assessments and, following discussions with the Information Commissioner’s Office, will look to return to this matter on Report to address concerns about public authorities’ adherence to the Information Commissioner’s specific guidance on privacy impact assessments, as well as privacy notices. I hope noble Lords will accept our willingness to return to that matter in due course.
Amendment 213 would bar the processing of personal information under the powers for particular purposes. With respect and understanding of what lies behind the amendment, our approach is simpler and more complete. There are specific limited purposes for which personal information can be disclosed under Part 5 of the Bill. Other than a few limited exemptions, the disclosure or use of personal information for other purposes is not permitted. Tough new criminal sanctions will apply to all unlawful disclosures.
Amendment 87 seeks to introduce a duty to review in the public service delivery power, akin to the existing duty in the debt and fraud powers. All data-sharing arrangements under the debt and fraud powers have to be piloted and reviewed after three years to ensure that the powers deliver demonstrable benefits. The public service delivery powers are different in kind, being more conventional data-sharing powers, constructed specifically to improve the delivery of services to citizens in cases of acknowledged need, such as assisting those suffering from fuel poverty.
On that point, my noble friend Lady Byford essentially raised the question of definitions—what do we mean by “fuel poverty”, “well-being” and “warm home discount”, as mentioned in Clause 31? All this is dealt with in Part 2 of the Energy Act 2010, which contains the schemes referred to in Clause 31(3)(a). I hope further consideration of those provisions of the Bill may go some way to meeting her concerns about those definitions.
On the question of private fraud, of course we are alert to the idea that where there is data sharing there may be data intrusion, and we are determined to guard against that. That is why we seek to ring-fence
these powers in the way that we do in the Bill. We have not claimed that any system we introduce will inevitably be infallible; history tells us that where we ring-fence, people will seek to go under, over or through such a fence. However, we shall try to ensure that all data that are shared in this context are kept as secure as we reasonably and practicably can keep them.
Amendment 88 would change the definition of “personal information”, a point raised by the noble Baroness, Lady Hamwee. The point here is that in the current draft “personal information” includes “a body corporate”. The existing definition is intended to capture all persons, including all corporate bodies, to ensure that taxpayer information, including that of bodies corporate, is protected irrespective of the size of the organisation. Narrowing the definition would limit the protections for HMRC data under these powers, which would be likely to affect significantly HMRC’s willingness to make use of the powers. I am sure the noble Baroness is aware that the disclosure of data by HMRC is subject to additional statutory controls quite distinct from the provisions of the Bill, and these have to be factored in. This is where the term “official” comes into use because the existing statutory legislation uses that term in the context of data and disclosure. Therefore, for the purposes of consistency, that term is used in this context. It is not an attempt to suggest that the janitor, or anyone else, should be responsible for disclosing relevant information—certainly not the commissioners of revenue in isolation.
Amendments 87 and 93 are also in this group. Clause 33(7) provides that a disclosure under the public service delivery power does not breach any obligation of confidence or any other restriction on the disclosure of the information. This provision ensures that public authorities can be confident that their disclosure is lawful, provided that they comply with the strict requirements of this legislation. To remove that subsection would undermine a primary objective of providing authorities with the legal certainty required to ensure efficient and effective data sharing under these powers. In other words, where they satisfy the requirements of this legislation, they do not have to go back and worry about any aspect of the common law of confidentiality on individual occasions, which would effectively make the provision unworkable.
Amendment 93 seeks to expressly exclude health data from the public service delivery clauses. I have already touched upon this. The Government believe that this amendment, while well intentioned, is unnecessary and would lead to the kind of legislative barriers that the Bill is designed to overcome. As I have indicated before, the Government recognise the particular sensitivities around identifiable health information, and indeed this was highlighted in the National Data Guardian’s recent review of data security, consent and opt-outs. For this reason, health bodies in England are not included in the draft list of bodies that will be permitted to use the powers in the Bill. Health and adult social care information, however, could potentially be of considerable assistance in bringing benefit to individuals, as this power aims to do. I acknowledge that we may wish to bring such bodies within the scope of these powers in future, but we will form a
view on this after the implementation of the National Data Guardian’s recommendations and public consultation on the issue. We believe it would be wrong to rule out that possibility until that debate has been concluded. However, I underline the point that at present health bodies in England are not included in the draft list of bodies that will be permitted to use these powers.
I turn to Amendment 100. Clause 34(8) provides that the prohibition on onward disclosure, and its associated provisions, do not apply to personal information disclosed by HMRC. The amendment seeks to remove that provision. There was a suggestion that someone was seeking consistency here. Throughout Part 5 of the Bill, in order to take account of HMRC’s statutory duty of confidentiality and maintain consistency with the existing statutory framework in respect of HMRC information, the Bill contains separate provisions for the disclosure of information by HMRC. Criminal sanctions apply to the disclosure of HMRC information, but it is all framed slightly differently in order to be consistent with earlier statutory provision. I refer in particular to the Commissioners for Revenue and Customs Act 2005, which already covers these areas. The effect of the noble Baroness’s amendment would be to create two regimes for disclosing HMRC information under this power. We suggest that that would undermine consistency between Part 5 of the Bill and the provisions that already exist under the Commissioners for Revenue and Customs Act 2005. I hope that that goes some way to explaining why HMRC, though not a special case, is dealt with slightly differently within Part 5.
The noble Baroness, Lady Byford, then referred to Amendment 196. Again, in the context of accountability for public interest disclosures of non-identifying HMRC information, the aim of Clause 65 is to enable Her Majesty’s Revenue and Customs to meet requests from external organisations to provide aggregate statistics or general information, which is what other government departments do. Safeguards for disclosure of personal information will continue to apply for the reasons I have already alluded to. This amendment, again, would be inconsistent with HMRC’s existing statutory framework which authorises officials to act on behalf of the commissioners of revenue. It would not be practicable for the commissioners of revenue to have to deal with each of these requests. Indeed, it would be an unnecessary use of public resources if that was the case.
The noble Lord, Lord Clement-Jones, raised a point that appears to have prompted a note from the Box which I have not yet read. I shall scan it now. And I will undertake to write to the noble Lord. On that occasion, I will use typescript.
In those circumstances, I invite noble Lords not to press these amendments.
7 pm